[BreachExchange] Data Protection Is a Group Effort

[Destry Winant]

https://www.darkreading.com/vulnerabilities---threats/data-protection-is-a-group-effort/a/d-id/1340406?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

When a General Data Protection Regulation (GDPR) fine is levied on an
organization, it doesn't come out of individual employees' paychecks —
but perhaps there should be some incentive for all employees to take
this more seriously. After all, every employee contributes to the
company's ability to protect customer data. Anyone in an organization
could fall victim to a social engineering attack, paving the way for a
bad actor to access the corporate network. Data privacy must be a
group effort, which is why we take an all-hands-on-deck approach,
whereby every single employee, consultant, contractor, and intern
works together to protect corporate data.

The protection of data must never fall solely on the shoulders of one
individual or team. For example, our organization has nearly 9,000
employees across the globe, and only a dozen of these folks work in
the privacy and compliance department. That's roughly 0.1% of our
workforce. We are not anomalous in this regard either, as the privacy
department traditionally makes up a small percentage of an
organization. It is illogical to solely rely on these folks to keep
your organization safe — especially for large companies. Starting with
the data protection officer (DPO), organizations should take a
top-down approach, where every employee takes ownership of their own
individual data privacy efforts.

Keep Everyone Educated
One of the most important things a DPO can do is to construct
effective data privacy training modules. After every employee and
contractor completes these training courses, be sure to also require
quizzes to ensure that everyone actually knows their stuff. Based on
the results of these quizzes, every team can then be awarded a data
privacy score. Much like law school, these teams' respective scores
can then be shared in an open forum for all to see. This is not to
shame those who aren't up to date on privacy principles; it's an
effort to empower every individual to take ownership of his or her own
data privacy initiatives. It's definitely important to keep employees
up to date on data privacy legislation, such as GDPR, Brazil's Lei
Geral de Proteção de Dados, and the California Privacy Rights Act;
however, it's far more important to emphasize privacy principles as
opposed to laws.

Stress Privacy Principles
Although everyone needs to be familiar with privacy legislation, it is
far more important to be well-versed in the principles of data
privacy. For example, it's vital to emphasize the principle of data
minimization: No employee should collect any customer information
other than data that he or she absolutely needs. Moreover, this data
should be retained for the shortest amount of time possible. For those
who work in research and development, the principle of privacy by
design is imperative. From any given product's inception, developers
and designers must be cognizant of all privacy repercussions that are
likely to arise down the line. As DPOs often point out, new privacy
laws are always coming down the pike; however, if everyone has been
keeping privacy principles top of mind, the organization will be well
on its way toward compliance with any law.

Write Processes Down
Formally record your organization's data privacy processes and be sure
to document the collection and deletion of customer data. Documented
data privacy processes and policies as well as respective teams' data
privacy scores certainly come in handy if and when auditors come
knocking. Also, any employees who directly handle customer information
should always keep their data inventories on hand — not just for
auditors, but also for subject access requests as well.

When every employee is well-versed in customer data privacy
principles, the DPO can rest assured that the enterprise's sensitive
data is in good hands. Perhaps most importantly, by placing a premium
on education, documentation, and awareness of privacy principles, the
individual employees feel empowered. As all good DPOs make clear, this
is truly an all-hands-on-deck endeavor. For better or worse, we're all
in this together.